Abstract. The simple security property in an information flow policy can be enforced by encrypting data objects and distributing an appropriate secret to each user. A user derives a suitable decryption key from the secret and publicly available information. A chain-based enforcement scheme provides an alternative method of cryptographic enforcement that does not require any public information, the trade-off being that a user may require more than one secret. For a given information flow policy, there will be many different possible chain-based enforcement schemes. In this paper, we provide a polynomial-time algorithm for selecting a chain-based scheme which uses the minimum possible number of secrets. We also compute the number of secrets that will be required and establish an upper bound on the number of secrets required by any user.


1 Introduction 

Access control is a fundamental security service in modern computing systems and seeks to restrict the interactions between users of the system and the resources provided by the system. Generally speaking, access control is policy-based, in the sense that a policy is defined by the resource owner(s) specifying those interactions that are authorized. An attempt by a user to interact with a protected resource, typically called an access request, is evaluated by a trusted software component, the policy decision point (or authorization decision function), to determine whether the request should be permitted (if authorized) or denied (otherwise). The use of a policy decision point is entirely appropriate when we can assume the policy will be enforced by the same organization that defined it. However, use of third-party storage, privacy policies controlling access to personal data, and digital rights management all give rise to scenarios where this assumption does not hold.

An alternative approach to policy enforcement, and one that has attracted 
considerable interest in recent years, is to encrypt the protected object and enable 
authorized users to derive decryption keys. This approach is particularly suitable 
for data that changes infrequently, for read-only policies, and for policies that can 
be represented in terms of user attributes. Research into cryptographic access 
control began with the seminal work of Akl and Taylor [2] on the enforcement of 
information flow policies, and has seen a resurgence of interest in recent years. 
Generally, it is undesirable to provide a user with all the keys she requires to decrypt protected objects. Instead, a user is given a small number of secrets from which she is able to derive all keys required. Thus a cryptographic enforcement scheme may be characterized by (i) the number of secrets each user has to store, (ii) the total number of secrets, (iii) the amount of auxiliary (public) information required for key derivation, and (iv) the amount of time required for key derivation.

Many schemes in the literature provide each user with a single secret [3,11], the trade-off being that the amount of public information and derivation time may be substantial. In contrast, chain-based schemes require no public information but each user may require more than one secret [9,14,15]. In addition, chain-based schemes can achieve very strong security properties [15]. There are many different ways to instantiate a chain-based scheme for a given policy, each instantiation being defined by a chain partition of the partially ordered set that defines the policy.

However, existing work on chain-based CESs assumes the existence of a chain partition and simply generates the required secrets and keys for this partition [9,14,15]. This approach ignores the fact that there will be (exponentially) many choices of chain partition. Thus, it is important, if we are to make best use of chain-based CESs, that we know which chain partition to use for a given information flow policy. It is this issue that we address in this paper.

Contributions. Our first contribution (Theorem 2) is to show how $K(\Pi)$, the (total) number of secrets for a chain partition $\Pi$, is related to the set of edges in the representation of $\Pi$ as an acyclic directed graph. We then prove that $K(\Pi)$ is determined by the end-points of the chains in $\Pi$ (Lemma 2). This, in turn, allows us to prove there exists a chain partition that simultaneously minimizes the number of secrets required and the number of chains in the partition (Theorem 3). The last result is somewhat unexpected, as it is not usually possible to simultaneously minimize two different parameters. The result is also of practical importance, since the number of chains in $\Pi$ provides a tight upper bound on the number of secrets required by any one user. Our main contribution (Theorem 1 and Section 4) is to develop a polynomial-time algorithm that enables us to find a chain partition $\Pi$ such that $K(\Pi)$ and the number of chains is minimized (with respect to all chain partitions). Our algorithm is based on finding an optimal feasible flow in a network and makes use of the characterization of the number of secrets in terms of the set of edges (established in Theorem 2) to define the capacities of the edges in the network. We thereby provide rigorous foundations for the development of efficient chain-based enforcement schemes.

Paper structure. In the next section, we provide the relevant background on cryptographic enforcement schemes, formally define the problem, and state Theorem 1. In Sec. 3, we state and prove Theorems 2 and 3 and Lemma 2. In Sec. 4, we develop an efficient algorithm to derive the best chain partition and prove Theorem 1. We conclude the paper with a summary of our contributions and some ideas for future work.
Fig. 1: The Hasse diagram of a simple poset

2 Background and Problem Statement 

A partially ordered set (or poset) is a pair $(X, \leq)$, where $\leq$ is a reflexive, antisymmetric, transitive binary relation on $X$. We may write $x \geq y$ whenever $y \leq x$, and $y < x$ whenever $y \leq x$ and $y \neq x$. Given a poset $(X, \leq)$, it is convenient to introduce the following notation.

$$\downarrow x \stackrel{\text{def}}{=} \{y \in X : y \leq x\} \quad\text{and}\quad \uparrow x \stackrel{\text{def}}{=} \{y \in X : y \geq x\}$$

We will also make use of the following terminology and notation.

— We say $x$ covers $y$, denoted $y \lessdot x$, if $y < x$ and there does not exist $z \in X$ such that $y < z < x$. We say $y$ is a child of $x$ if $y \lessdot x$ (and $x$ is a parent of $y$).

— The Hasse diagram of a poset is the directed acyclic graph $H = (X, E_0)$, where $xy \in E_0$ if and only if $y \lessdot x$.

— $X$ is a tree if no element of $X$ has more than one parent and $X$ has a unique maximum element.

— $Y \subseteq X$ is a chain (or total order) if for $x, y \in Y$, $x < y$ or $x = y$ or $y < x$. $\{C_1, \dots, C_\ell\}$ is a chain partition (of $(X, \leq)$) if $C_i \subseteq X$ is a chain, $C_i \cap C_j = \emptyset$ if $i \neq j$, and $C_1 \cup \dots \cup C_\ell = X$.

— $Y \subseteq X$ is an antichain if for $x, y \in Y$, $x \leq y$ if and only if $x = y$. (In other words, for $x \neq y$ in an antichain, $x \not\leq y$ and $y \not\leq x$.) The width of a poset is the cardinality of an antichain of maximum size.

An illustrative Hasse diagram is shown in Fig. 1. In the poset depicted, $\{a, d, f\}$ is a chain, for example, and $\{d, e\}$ is an antichain of maximum size. Thus the width of this poset is 2 and one chain partition of cardinality 2 is $\{\{a, c, e, g, h\}, \{b, d, f\}\}$.

Definition 1. An information flow policy is a tuple $(X, \leq, U, O, \lambda)$, where:

— $(X, \leq)$ is a (finite) partially ordered set of security labels;

— $U$ is a set of users and $O$ is a set of objects;

— $\lambda : U \cup O \to X$ is a security function that associates users and objects with security labels.

The simple security property requires that user $u \in U$ can read an object $o \in O$ if and only if $\lambda(u) \geq \lambda(o)$.

We may define an equivalence relation $\sim$ on $U$, where $u \sim v$ if and only if $\lambda(u) = \lambda(v)$. We write $U_x$ to denote $\{u \in U : \lambda(u) = x\}$; $U$ is partitioned into the set of equivalence classes $\{U_x : x \in X\}$. Similarly, $O_x \subseteq O$ is the set of objects having security label $x \in X$. Thus, the simple security property guarantees that any $o \in O_x$ can be read by a user $u \in U_y$ for any $y \geq x$. Conversely, $u \in U_y$ can read $o \in O_x$ for any $x \leq y$. Henceforth, we will represent an information flow policy $(X, \leq, U, O, \lambda)$ as a pair $(X, \leq)$ with the tacit understanding that $U$, $O$ and $\lambda$ are given.

2.1 Cryptographic Enforcement of Information Flow Policies 

One way of enforcing the simple security property (for policy $(X, \leq)$) is to encrypt $o \in O_y$ with a (symmetric) key $\kappa(y)$ and provide all users in $U_x$, where $x \geq y$, with the key $\kappa(y)$. An alternative is to provide a user $u$ in $U_x$ with a smaller number of keys (typically a single key for label $x$) and enable $u$ to derive keys for all $y$ such that $y < x$. However, this introduces the possibility that users may be able to collude and use their keys to derive a key that no single user could derive.

More formally, there exists the notion of a cryptographic enforcement scheme (CES), defined by the SetUp and Derive algorithms, SetUp being used to generate secrets and keys and the data used to derive secrets and keys, and Derive being used to compute secrets and keys. Let $\mathcal{K}$ denote an arbitrary key space (typically $\mathcal{K} = \{0,1\}^l$ for some $l \in \mathbb{N}$). Then SetUp and Derive have the following characteristics.

— SetUp takes as input a security parameter $\rho$ and information flow policy $(X, \leq)$. It outputs, for each element $x \in X$, a pair $(\sigma(x), \kappa(x))$: the secret $\sigma(x)$ is given to all users in $U_x$; $\sigma(x)$ is used to derive secrets and/or keys for labels $y \leq x$; and the key $\kappa(x) \in \mathcal{K}$ is used to encrypt data objects in $O_x$. The SetUp algorithm also outputs a set of public information Pub, which is used for the derivation of secrets and keys.

— Derive takes as input $(X, \leq)$, Pub, start and end points $x, y \in X$ and $\sigma(x)$. It outputs $\kappa(y) \in \mathcal{K}$ if and only if $y \leq x$. (In particular, $\kappa(x)$ can be derived from $\sigma(x)$.)

The requirement that Derive outputs $\kappa(y)$ (given $\sigma(x)$) if $y \leq x$ is a correctness criterion, which ensures an authorized user can derive the keys required to decrypt objects. We also require a security criterion. Informally, the strong key-indistinguishability criterion requires the following.

There is no polynomial time algorithm, given $z \in X$, a set of secrets $\sigma(Y) = \{\sigma(y) : y \in Y\}$ such that $z \not\leq y$ for any $y \in Y$, and $\kappa(x)$ for all $x \neq z$ (and the public information Pub), that can distinguish between $\kappa(z)$ and a random key in $\mathcal{K}$.
That is, an adversary cannot distinguish a key from random unless it may be computed from one of the secrets or keys known to the adversary (which implies, in particular, that the adversary can only compute such a key if it can be computed from one of those secrets); see Freire et al. [15] for further details.

2.2 Chain-based Enforcement 

For certain classes of cryptographic enforcement schemes, public information is not required. In particular, if $X$ is a chain, then (by definition) there is a unique directed path from $x$ to $y$ (in the Hasse diagram of $X$) whenever $y < x$. Then for $y \lessdot x$, we may define the secret $\sigma(y)$ to be $F(\sigma(x))$, and $\kappa(y) = H(\sigma(y))$, where $F$ and $H$ are suitable one-way functions. Thus, if $y < x$, there exist $z_1, \dots, z_\ell \in X$ with $y = z_1 \lessdot z_2 \lessdot \dots \lessdot z_\ell = x$; $\kappa(y)$ may be derived from $\sigma(x)$ by iteratively deriving $\sigma(z_i) = F(\sigma(z_{i+1}))$, $i = \ell - 1, \dots, 1$, and then deriving $\kappa(y) = H(\sigma(y)) = H(\sigma(z_1))$.

This observation has led to the development of chain-based CESs [9,14,15] for arbitrary information flow policies. The basic idea is to partition the information flow policy $(X, \leq)$ into chains and then construct multiple CESs, one for each chain.

More formally, let $(X, \leq)$ be a poset and $C = x_1 > x_2 > \dots > x_m$ be a chain in $X$. Then we say any chain of the form $x_j > x_{j+1} > \dots > x_m$, $1 \leq j \leq m$, is a suffix of $C$; the empty chain is (vacuously) also a suffix of $C$.

Proposition 1. For all $x \in X$ and any chain $C \subseteq X$, $\downarrow x \cap C$ is a suffix of $C$.

The above result (due to Crampton et al. [9, Proposition 4]) enables us to define, for a given chain partition $\Pi$, the secrets that should be given to a user $u \in U_x$, since $\downarrow x$ defines the labels for which $u$ is authorized. Given a chain partition $\Pi = \{C_1, \dots, C_\ell\}$, $\{\downarrow x \cap C_1, \dots, \downarrow x \cap C_\ell\}$ is a disjoint collection of chain suffixes. Hence, a user in $U_x$ must be given the secrets for the maximal elements in the non-empty suffixes $\downarrow x \cap C_1, \dots, \downarrow x \cap C_\ell$. Thus, any user requires at most $\ell$ secrets. Let $\phi(x, \Pi) \subseteq X$ denote this set of maximal elements. (Clearly, $x \in \phi(x, \Pi)$ for all chain partitions $\Pi$ and all $x \in X$.)

Remark 1. Let $w$ be the width of a poset $(X, \leq)$. Clearly, $(X, \leq)$ cannot have a chain partition with fewer than $w$ chains. Dilworth's theorem asserts that there exists a chain partition of $(X, \leq)$ into $w$ chains [13]. Thus, if we can find a chain partition of $X$ into $w$ chains, no user will require more than $w$ secrets. (If $u$ were to have more secrets than there are chains in the partition, then there must exist a chain containing $y$ and $z$ for which $u$ has secrets and one of the secrets may be derived from the other.)

Freire et al. [15] provide a formal description of the SetUp and Derive algorithms. Informally, the SetUp algorithm performs the following steps:

1. for each chain $C_i$ in $\Pi$, select a secret for the top element in $C_i$ and generate a secret for each element in the chain by applying the one-way function $F$ to the secret of its parent in $C_i$;

2. for each element $x \in X$, generate $\kappa(x)$ by applying the one-way function $H$ to $\sigma(x)$;

3. assign the secrets $\sigma(\phi(x, \Pi)) \stackrel{\text{def}}{=} \{\sigma(z) : z \in \phi(x, \Pi)\}$ to each user in $U_x$.

The Derive algorithm performs the following steps, given $x, y \in X$ and $\sigma(\phi(x, \Pi))$:

1. if $x = y$, then output $H(\sigma(x))$;

2. if $y < x$, then find $z \in \phi(x, \Pi)$ such that $z \geq y$, so there exist $z = z_0 >_\Pi \dots >_\Pi z_t = y$, and compute $F(\sigma(z_0)) = \sigma(z_1), \dots, F(\sigma(z_{t-1})) = \sigma(y)$; output $H(\sigma(y))$.

This scheme has the strong key-indistinguishability property; see Freire et al. [15] for further details.

A user in $U_x$ will need to be given $|\phi(x, \Pi)|$ secrets, in contrast to most CESs in the literature in which each user receives a single secret [3,11]. However, chain-based CESs have substantial benefits: (i) they require no public information [9]; (ii) they can use cryptographic primitives that are very easy to compute; and (iii) it is easy to construct schemes with the strong key-indistinguishability property [15].

2.3 Problem Statement 

Certain aspects of chain-based CESs are not well understood. As we have already noted, some users will require multiple secrets, each of which corresponds to a unique label in $X$. In particular, a user $u$ in $U_x$ will require a secret for each chain that contains an element $y$ such that $y \leq x$. Three chain partitions of the poset in Fig. 1 are shown in Fig. 2. We have, for example, $\phi(g, \Pi_1) = \{b, e, g\}$, $\phi(g, \Pi_2) = \{b, d, g\}$, and $\phi(g, \Pi_3) = \{d, g\}$. Hence, the number of secrets required, on a per-user basis and in total, will vary, depending on the chain partition chosen. Thus, considering various chain partitions of $X$, we may ask:

— How do we minimize $k_{\max}$, the maximum number of secrets a user may require?

— How do we minimize $K$, the total number of secrets required?

— How do we minimize $\hat{K}$, the total number of secrets that need to be issued to users?

More formally, given a chain partition $\Pi$ of $(X, \leq)$, we may regard $\phi$ as a function from $X$ to $2^X$ that is completely determined by $\Pi$. Thus, given a chain partition $\Pi$, we can define the following values.

$$k_{\max}(\Pi) \stackrel{\text{def}}{=} \max\{|\phi(x, \Pi)| : x \in X\}$$

$$\hat{K}(\Pi) \stackrel{\text{def}}{=} \sum_{x \in X} |\phi(x, \Pi)|$$

$$K(\Pi) \stackrel{\text{def}}{=} \sum_{x \in X} |U_x| \cdot |\phi(x, \Pi)|$$
Fig. 2: Three chain partitions of the poset in Fig. 1


Values of $k_{\max}$ and $K$ for the chain partitions in Fig. 2 are shown in Table 1; node $h$ is used for illustrative purposes.¹

Partition    φ(h)            k_max    K
Π1           {b, e, g, h}    4        20
Π2           {b, f, h}       3        17
Π3           {g, h}          2        13

Table 1: φ(h), k_max and K for the chain partitions in Fig. 2


The important question is: Can we minimize these parameters (over all choices of chain partition $\Pi$ for $X$)? In short, given an information flow policy $(X, \leq)$, how do we determine $\Pi$ for use in a chain-based CES?² It is this question we address in the remainder of the paper. In particular, at the end of Section 4, we prove the following result.

Theorem 1. Let $(X, \leq)$ be an information flow policy of width $w$ and let $K$ denote the minimum number of secrets required by a chain-based enforcement scheme for $X$. Then in $O(|X|^{?}\,w)$ time, we can find a chain partition $\Pi$ for which the corresponding chain-based enforcement scheme only requires $K$ secrets and $k_{\max} \leq w$.

¹ Note that we can deduce $\hat{K}$ from $K$ by letting $|U_x| = 1$ for all $x \in X$.

² Crampton et al. [9] observed that further research was needed to identify the best choice of chain partition for a given information flow policy. While subsequent research has formalized [14] and strengthened the security properties of chain-based CESs [15], we are not aware of any research that specifies how to select a chain partition.



Remark 2. We assume throughout that our information flow policy has a maximum element. We may assume this without loss of generality: given an information flow policy $(X, \leq)$ without a maximum element, we simply add a maximum element $r$ and define $r > m$ for all maximal elements $m$ in $X$; no users are assigned to $r$. Observe that such a transformation does not affect the values of $k_{\max}$ and $K$.

3 Computing $k_{\max}$ and $K$

Informally, we take a poset $(X, \leq)$ and construct a second poset $(X, \leq')$, where $x \leq' y$ implies $x \leq y$ (but $x \leq y$ does not necessarily imply $x \leq' y$). We will say $\leq'$ is contained in $\leq$. In particular, any chain partition $\Pi$ of $(X, \leq)$ defines a second poset $(X, \leq_\Pi)$, where $x \leq_\Pi y$ if and only if $x$ and $y$ belong to the same chain and $x \leq y$; thus $\leq_\Pi$ is contained in $\leq$ for any $\Pi$. Note, however, that $x <_\Pi y$ does not necessarily imply $x \lessdot y$.³

Given a poset $(X, \leq)$ and $z < y$, we define

$$\gamma(yz) \stackrel{\text{def}}{=} \{x \in X : x \geq z,\ x \not\geq y\}.$$

Thus $z \in \gamma(yz)$ and $y \notin \gamma(yz)$. For the maximum element $r \in X$ and any $y, z \in X$ such that $z < y$, $r \notin \gamma(yz)$. Informally, the intuition behind $\gamma$ is that its cardinality measures the "damage" that would be done by creating a chain partition $\Pi$ such that $z <_\Pi y$, because having $z <_\Pi y$ means that $z \not\leq_\Pi x$ for any $x \in \gamma(yz)$. Thus, every user in $U_x$ will require an extra secret in order to derive $\kappa(z)$. We will capture this intuition more precisely in Lemma 1.

Remark 3. For maximum element $r$ and any chain partition $\Pi = \{C_1, \dots, C_\ell\}$, $\phi(r, \Pi) = \{t_1, \dots, t_\ell\}$, where $t_i$ is the maximum element in chain $C_i$. Moreover, $r = t_i$ for some $i$. Hence, we can construct a tree $\hat{\Pi} = (X, <_{\hat\Pi})$, where $y <_{\hat\Pi} x$ if and only if one of the following conditions holds: (i) $y = t_j$, $j \neq i$, and $x = r$; (ii) $y <_\Pi x$.

Figure 3 illustrates the construction of two such trees, using chain partitions from Fig. 2; the arcs used to create the trees are shown as dashed lines.

Lemma 1. Let $(X, \leq)$ be a poset and let $\Pi$ be a chain partition of $X$. Then, for all $x, y, z \in X$ such that $x \neq r$ and $z <_{\hat\Pi} y$,

$$z \in \phi(x, \Pi) \quad\text{if and only if}\quad x \in \gamma(yz).$$

Proof. Given $z \in \phi(x, \Pi)$ and chain partition $\Pi = \{C_1, \dots, C_\ell\}$, $y_i \in \phi(x, \Pi) \cap C_i$ if and only if $C_i \cap \downarrow x$ is non-empty and $y_i$ is the maximum element in $C_i \cap \downarrow x$ (Sec. 2.3). Thus, $z \leq x$. Moreover, $x \not\geq y$ (otherwise there would exist $t \in \phi(x)$ such that $y \leq_{\hat\Pi} t$ and hence $z <_{\hat\Pi} y \leq_{\hat\Pi} t$, violating the condition that $z$ is the maximum element in the suffix $C_i \cap \downarrow x$). That is, $x \in \gamma(yz)$.

³ To see this, consider the poset of four elements, in which $a < b < d$ and $a < c < d$ with $b \not\leq c$, $c \not\leq b$. Then $\{\{b\}, \{c\}, \{a, d\}\}$ is a chain partition and $a <_\Pi d$, but $a \not\lessdot d$.

Fig. 3: Creating trees from partitions $\Pi_1$ and $\Pi_{?}$ in Fig. 2


Now suppose $x \in \gamma(yz)$. Then $x \not\geq y$, by definition, and hence $y$ does not belong to $\downarrow x \cap C_i$ for any $i$. However, $x \geq z$; hence, there exists $t \in \phi(x)$ such that $z \leq_\Pi t$. Since $\Pi$ is a chain partition, the only parent of $z$ in $\Pi$ is $y$. Hence it must be the case that $z = t$ (and thus $z \in \phi(x)$). □

Let $(X, \leq)$ be an information flow policy and let $y, z \in X$ with $z < y$. Then, following Crampton et al. [10], we define

$$\omega(yz) \stackrel{\text{def}}{=} \sum_{x \in \gamma(yz)} |U_x|.$$

We will be interested in minimizing the sum of $\omega(yz)$, where the sum is taken over all pairs $(y, z)$ such that $z <_{\hat\Pi} y$. The intuition behind this definition is that it captures, in some appropriate sense, the connectivity that is lost from $(X, \leq)$ by using $(X, \leq_\Pi)$. Since every element in $(X, \leq_\Pi)$ has at most one parent, $\gamma(yz)$ represents those elements in $X$ that become "disconnected" from $z$ by defining $z <_\Pi y$. The next result establishes an exact correspondence between $\phi(x, \Pi)$ and $\gamma(yz)$, and enables us to use network flow techniques to compute a chain partition that minimizes $K$ (as we explain in Sec. 4).

Theorem 2. Let $(X, \leq_\Pi)$ be a chain partition of $(X, \leq)$ with maximum element $r$. Then

$$K(\Pi) = \ell\,|U_r| + \sum_{z <_{\hat\Pi} y} \omega(yz),$$

where $\ell$ is the number of chains in $\Pi$.

Proof. By definition,

$$K(\Pi) = \sum_{x \in X} |U_x|\,|\phi(x, \Pi)| = |U_r|\,|\phi(r, \Pi)| + \sum_{x \in X \setminus r}\ \sum_{z \in X} |U_x|\,\delta(x, z),$$

where $\delta(x, z)$ equals 1 if $z \in \phi(x, \Pi)$ and 0 otherwise. By Lemma 1, we have $\delta(x, z) = 1$ if and only if $x \in \gamma(yz)$ for $z <_{\hat\Pi} y$. Moreover, $y$ is unique, since $\hat\Pi$ is a tree. Therefore,

$$\sum_{x \in X \setminus r}\ \sum_{z \in X} |U_x|\,\delta(x, z) = \sum_{z <_{\hat\Pi} y}\ \sum_{x \in \gamma(yz)} |U_x| = \sum_{z <_{\hat\Pi} y} \omega(yz).$$

As $r \geq x$ for all $x \in X$, $\phi(r, \Pi)$ must contain exactly one element from each chain in $\Pi$. Therefore $|U_r|\,|\phi(r, \Pi)| = \ell\,|U_r|$, as required. □

The following result shows that the number of secrets required by a chain partition can be computed by considering only the minimum elements in the chain partition.

Lemma 2. Let $\Pi = \{C_1, \dots, C_\ell\}$ be a chain partition of $(X, \leq)$ and let chain $C_i$ have bottom element $b_i$, $1 \leq i \leq \ell$. Then

$$\hat{K}(\Pi) = \sum_{i=1}^{\ell} |\uparrow b_i| \quad\text{and}\quad K(\Pi) = \sum_{i=1}^{\ell}\ \sum_{x \in \uparrow b_i} |U_x|.$$

Proof. We have, by definition,

$$\begin{aligned}
K(\Pi) &= \sum_{x \in X} |U_x|\,|\phi(x, \Pi)| = \sum_{x \in X} |U_x|\,\big|\{i : C_i \cap \downarrow x \neq \emptyset,\ 1 \leq i \leq \ell\}\big| \\
&= \sum_{x \in X} |U_x|\,\big|\{i : b_i \leq x,\ 1 \leq i \leq \ell\}\big| \\
&= \sum_{x \in X}\ \sum_{i=1}^{\ell} |U_x|\,\delta(x, b_i) \qquad \text{where } \delta(x, b_i) = 1 \text{ if } x \geq b_i \text{ and } 0 \text{ otherwise} \\
&= \sum_{i=1}^{\ell}\ \sum_{x \in X} |U_x|\,\delta(x, b_i) = \sum_{i=1}^{\ell}\ \sum_{x \in \uparrow b_i} |U_x|.
\end{aligned}$$

Clearly, we may prove the result for $\hat{K}$ in an analogous fashion. □

In Fig. 2a, for example, the bottom elements are $a$, $c$, $d$ and $f$ and $|\uparrow a| = 8$, $|\uparrow c| = 6$, $|\uparrow d| = 4$ and $|\uparrow f| = 2$. Thus, the number of secrets required in total is 20.

Theorem 3. Let $(X, \leq)$ be an information flow policy of width $w$ and let $K$ denote the minimum number of secrets required by a chain-based enforcement scheme for $X$. Then there exists a chain partition $\Pi$ containing $w$ chains such that $K(\Pi) = K$.

Proof. Let $\Pi$ be a chain partition of $X$ into $t \geq w$ chains such that $K(\Pi) = K$ and let $B$ be the set of bottom vertices in the chains of $\Pi$. A result of Gallai and Milgram asserts that if a chain partition $\Pi$ of a poset $(X, \leq)$ contains $t$ chains, where $t > w$, then there exists a chain partition $\Pi'$ into $t - 1$ chains such that the set of bottom vertices in $\Pi'$ is a subset of $B$ [16].⁴ Hence, by iterated applications of the Gallai-Milgram result, there exists a chain partition $\Pi^*$ of width $w$ such that the set of bottom vertices $B^*$ in $\Pi^*$ is a subset of $B$. Moreover, by Lemma 2,

$$K(\Pi^*) = \sum_{b \in B^*}\ \sum_{x \in \uparrow b} |U_x| \leq \sum_{b \in B}\ \sum_{x \in \uparrow b} |U_x| = K(\Pi) = K.$$

By the minimality of $K$, we deduce that $K(\Pi^*) = K$. □

⁴ The result is phrased in the language of digraphs, but every poset may be represented by an equivalent transitive acyclic digraph.

Corollary 1. Let $(X, \leq)$ be an information flow policy. There exists a chain partition such that the total number of secrets $K$ is minimized and $k_{\max} \leq w$.

Proof. The result follows immediately from Theorem 3, the definition of $k_{\max} = \max\{|\phi(x, \Pi)| : x \in X\}$, and the fact that $|\phi(x, \Pi)|$ is bounded above by the number of chains in $\Pi$ for all $x \in X$. □

4 Finding a Chain Partition Requiring $K$ Keys

Suppose $(X, \leq)$ is a poset of width $w$. In general, a chain partition of $X$ has $\ell \geq w$ chains. Theorem 3 asserts that there exists a partition of $X$ into $w$ chains such that the corresponding enforcement scheme requires the minimum number of secrets. We now show how such a chain partition may be constructed. In particular, we show how to transform the problem of finding a chain partition $\Pi$ such that $K(\Pi)$ attains the minimum value into a problem of finding a minimum cost flow in a network.

Informally, a network is a directed graph in which each edge is associated with a capacity. A network flow associates each edge in a given network with a flow, which must not exceed the capacity of the edge. Networks are widely used to model systems in which some quantity passes through channels (edges in the network) that meet at junctions (vertices); examples include traffic in a road system, fluids in pipes, or electrical current in circuits. In our setting, we model an information flow policy as a network in which the capacities are determined by the weights $\omega$. Our definitions for networks and network flows follow the presentation of Bang-Jensen and Gutin [5].

Definition 2. A network is a tuple $\mathcal{N} = (D, l, u, c, b)$, where:

— $D = (V, A)$ is a directed graph with vertex set $V$ and arc set $A$;

— $l : V \times V \to \mathbb{N}$ such that $l(vv') = 0$ if $vv' \notin A$ and $l(vv') \geq 0$ otherwise;

— $u : V \times V \to \mathbb{N}$ such that $u(vv') = 0$ if $vv' \notin A$ and $u(vv') \geq l(vv') \geq 0$ otherwise;

— $c : V \times V \to \mathbb{R}$;

— $b : V \to \mathbb{R}$ such that $\sum_{v \in V} b(v) = 0$.

Intuitively, $l$ and $u$ represent lower and upper bounds, respectively, on how much flow can pass through each arc, and $c$ represents the cost associated with each unit of flow in each arc. The function $b$ represents how much flow should enter or leave the network at a given vertex. If $b(x) = 0$, then the flow going into $x$ should be equal to the flow going out of $x$. If $b(x) > 0$, then there should be $b(x)$ more flow coming out of $x$ than going into $x$. If $b(x) < 0$, there should be $|b(x)|$ more flow going into $x$ than coming out of $x$.

Definition 3. Given a network $\mathcal{N} = (D, l, u, c, b)$, a function $f : V \times V \to \mathbb{N}$ is a feasible flow for $\mathcal{N}$ if the following conditions are satisfied:

— $u(vv') \geq f(vv') \geq l(vv')$ for every $vv' \in V \times V$;

— $\sum_{v' \in V} \big(f(vv') - f(v'v)\big) = b(v)$ for every $v \in V$.

The cost of $f$ is defined to be

$$\sum_{vv'} c(vv')\,f(vv').$$


Our aim is to find a tree $\hat\Pi$ such that $\Pi$ is a chain partition of $X$ with $w$ chains that minimizes $K$. To do this, we will construct a network $\mathcal{N}$ such that the minimum cost flow of $\mathcal{N}$ corresponds to the desired tree. We can then find the minimum cost flow of $\mathcal{N}$ in polynomial time.

In $\hat\Pi$, we want every vertex except $r$ to have at most one parent and at most one child. We cannot represent this requirement directly in a network. However, we can use the vertex splitting procedure [5] to simulate it. Specifically, given poset $(X, \leq)$, define $X_{\text{in}} = \{x_{\text{in}} : x \in X \setminus \{r\}\}$ and $X_{\text{out}} = \{x_{\text{out}} : x \in X\}$; and define $v' \lessdot v$ if and only if either $v = x_{\text{in}}$ and $v' = x_{\text{out}}$ for some $x \in X \setminus r$, or $v = x_{\text{out}}$ and $v' = y_{\text{in}}$ for some $x, y \in X$ such that $y < x$. We now add a minimum element $\bot$, where $\bot \lessdot x_{\text{out}}$ for all $x \in X$.

Then define $D = (X_{\text{in}} \cup X_{\text{out}} \cup \{\bot\}, A)$, where $xy \in A$ if and only if $y \lessdot x$, and the network $(D, l, u, c, b)$, where

$$l(vv') = \begin{cases} 1 & \text{if } v = x_{\text{in}},\ v' = x_{\text{out}},\ x \in X \setminus r \\ 0 & \text{otherwise;} \end{cases}$$

$$u(vv') = \begin{cases} 1 & \text{if } v' \lessdot v \\ 0 & \text{otherwise;} \end{cases}$$

$$c(vv') = \begin{cases} \omega(xy) & \text{if } v = x_{\text{out}},\ v' = y_{\text{in}},\ y < x \\ 0 & \text{otherwise;} \end{cases}$$

$$b(v) = \begin{cases} w & \text{if } v = r_{\text{out}} \\ -w & \text{if } v = \bot \\ 0 & \text{otherwise.} \end{cases}$$

We call this network the network chain-representation of $(X, \leq)$. Note that any feasible flow $f$ for this network must have $0 \leq f(xy) \leq 1$ for all $xy \in A$.

Lemma 3. Let $\mathcal{N}$ be the network chain-representation of poset $(X, \leq)$. Then the minimum number of secrets required by a chain-based enforcement scheme for $(X, \leq)$ with $w$ chains is $w\,|U_r| + f$, where $f$ is the minimum cost of a feasible flow in $\mathcal{N}$.
Proof. Suppose we are given a chain partition $\Pi$ with $w$ chains. Then we may construct the tree $\hat\Pi$. Consider the following flow:

$$f(x_{\text{in}}x_{\text{out}}) = 1 \quad \text{for all } x \in X \setminus r;$$

$$f(x_{\text{out}}y_{\text{in}}) = 1 \quad \text{if } y <_{\hat\Pi} x;$$

$$f(x_{\text{out}}\bot) = 1 \quad \text{if } x \text{ is a bottom element in a chain in } \Pi;$$

$$f = 0 \quad \text{otherwise.}$$

Then we can show that $f$ is a feasible flow. Indeed, by construction all arcs $xy$ satisfy $u(xy) \geq f(xy) \geq l(xy)$. In the graph formed by arcs $xy$ with $f(xy) = 1$, it is clear that every vertex $x$ has in-degree and out-degree 1, except for $r_{\text{out}}$ and $\bot$. As there is one element $y$ such that $y <_{\hat\Pi} r$ for each chain in $\Pi$, $r_{\text{out}}$ has in-degree 0 and out-degree $w$ in this graph, and similarly $\bot$ has in-degree $w$ and out-degree 0. As all arcs $xy$ have $f(xy) = 1$ or $f(xy) = 0$, we have that

$$\sum_{v \in V(D)} \big(f(xv) - f(vx)\big) = b(x)$$

for all $x$, as required. Moreover, the cost of $f$ equals $\sum_{y <_{\hat\Pi} x} \omega(xy)$.

Conversely, suppose $f$ is a feasible flow for $\mathcal{N}$. Then we define $y <_f x$ if and only if $f(x_{\text{out}}y_{\text{in}}) = 1$. For each $x \in X \setminus r$, the arc $x_{\text{in}}x_{\text{out}}$ is the only in-coming arc for $x_{\text{out}}$ and the only out-going arc for $x_{\text{in}}$ in $D$, and by definition of $\mathcal{N}$, $f(x_{\text{in}}x_{\text{out}}) = 1$. As $b(x_{\text{in}}) = b(x_{\text{out}}) = 0$ and all in-coming arcs for $x_{\text{in}}$ are of the form $y_{\text{out}}x_{\text{in}}$, it follows that there is exactly one element $y \in X$ such that $x <_f y$, and at most one element $z \in X$ such that $z <_f x$. As $b(r_{\text{out}}) = w$ and $r_{\text{out}}$ has no in-coming arcs in $D$, and all its out-going arcs are of the form $r_{\text{out}}x_{\text{in}}$, there are exactly $w$ elements $y$ such that $y <_f r$. Let these elements be labelled $t_1, \dots, t_w$.

Now choose an arbitrary $i$, $1 \leq i \leq w$, and define $y <_\Pi x$ if and only if $x = r$ and $y = t_i$, or $x \neq r$ and $y <_f x$. Then for every element $x \in X$, there is at most one element $y \in X$ such that $x <_\Pi y$, and at most one element $z \in X$ such that $z <_\Pi x$.

It is easy to see that $\leq_\Pi$, the reflexive, transitive closure of $<_\Pi$, defines a chain partition of $X$. (Observe that as $D$ is an acyclic digraph, the transitive reflexive closure of $<_\Pi$ is antisymmetric, and therefore a partial order. The fact that $(X, \leq_\Pi)$ is a chain partition can be shown by induction on $|X|$, considering $X$ with a minimal element removed for the induction step.) By construction, the only maximal elements for $\leq_\Pi$ are $r$ and the elements $t_j$ for $j \neq i$. Thus, $(X, \leq_\Pi)$ has $w$ chains.

Recall the definition of $<_{\hat\Pi}$, that $y <_{\hat\Pi} x$ if and only if either $y <_\Pi x$, or $y = t_j$, $j \neq i$, and $x = r$. Note that $<_{\hat\Pi}$ is exactly the relation $<_f$. By Theorem 2, the number of secrets required by $\Pi$ is

$$w\,|U_r| + \sum_{z <_{\hat\Pi} y} \omega(yz).$$

As $z <_{\hat\Pi} y$ if and only if $f(y_{\text{out}}z_{\text{in}}) = 1$, $c(y_{\text{out}}z_{\text{in}}) = \omega(yz)$ and $c(uv) = 0$ for all other arcs with $f(uv) = 1$, we have that $\sum_{z <_{\hat\Pi} y} \omega(yz)$ is exactly the cost of $f$, as required. □
Lemma 4. We can find a minimum cost flow for $\mathcal{N}$ in $O(|X|^{?}\,w)$ time.

Proof. The Negative Cycle algorithm (see [1, §5.3], for example) finds a minimum cost flow for a network with $n$ vertices and $m$ arcs in time $O(nm^{?}CU)$, where $C$ denotes the maximum cost on an arc, and $U$ denotes the maximum of all upper bounds on arcs and the absolute values of all balance demands on vertices. By construction of $\mathcal{N}$, we have that $n = 2|X| = O(|X|)$, $m = O(n^2) = O(|X|^2)$, $C = \max\{\omega(xy) : xy \in A\} = O(|X|)$, and $U = w$ (every upper bound is 1 and the only non-zero balance demands are $\pm w$). Thus we get the desired running time. □

Remark 4. Strictly speaking, the Negative Cycle algorithm assumes that all lower bounds on arcs are 0. However, we can satisfy this assumption, given $\mathcal{N} = (D, l, u, c, b)$, by defining the network $\mathcal{N}' = (D, l', u', c, b')$, where, for each arc $xy$,

$$l'(xy) = 0, \qquad u'(xy) = u(xy) - l(xy), \qquad b'(x) = b(x) - l(xy), \qquad b'(y) = b(y) + l(xy).$$

Then the minimum cost flow $f'$ for $\mathcal{N}'$ will have cost exactly $\sum_{xy} l(xy)\,c(xy)$ less than the minimum cost flow for $\mathcal{N}$, and $f'$ can be transformed into a minimum cost feasible flow $f$ for $\mathcal{N}$ by setting $f(xy) = f'(xy) + l(xy)$.

We are now able to prove our main result, which is, essentially, a corollary of Theorem 3 and Lemmas 3 and 4.

Proof (of Theorem 1). By Theorem 3, there exists a chain partition that has exactly $w$ chains, for which the corresponding chain-based enforcement scheme only requires $K$ secrets. Then by Lemma 3, $K$ is equal to $w\,|U_r|$ plus the minimum cost of a feasible flow in $\mathcal{N}$, the network chain-representation of $(X, \leq)$. By Lemma 4, such a flow can be found in $O(|X|^{?}\,w)$ time, and this flow can be easily transformed into the corresponding chain partition $\Pi$. Finally, by definition of $\phi(x, \Pi)$, $|\phi(x, \Pi)| \leq w$ for each $x \in X$ and therefore $k_{\max} \leq w$. □
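As an added example (not the paper's code), the following Python script builds the network chain-representation of Sec. 4, applies the lower-bound elimination of Remark 4, solves the minimum cost flow by successive shortest paths (a simpler algorithm than the Negative Cycle algorithm cited in Lemma 4, used here for brevity) and reads the chain partition off the flow as in the proof of Lemma 3. Fig. 1 is not on the page, so the order is reconstructed from the values the text states ($|\uparrow a| = 8$, $|\uparrow c| = 6$, $|\uparrow d| = 4$, $|\uparrow f| = 2$, the chain $\{a, d, f\}$ and the antichain $\{d, e\}$) and the width $w = 2$ is taken from Sec. 2; the minimum it finds is $K = 13$, the value Table 1 lists for $\Pi_3$.

```python
from collections import defaultdict

# Reconstructed poset of Fig. 1 as up-sets ↑x (the figure is not on the page; the order
# satisfies the stated values |↑a| = 8, |↑c| = 6, |↑d| = 4, |↑f| = 2, chain {a, d, f},
# antichain {d, e}, maximum element h).
UP = {"a": "abcdefgh", "b": "bdfgh", "c": "cdefgh", "d": "dfgh",
      "e": "egh", "f": "fh", "g": "gh", "h": "h"}
X = sorted(UP)
R = "h"                      # maximum element r
W = 2                        # width w, as stated in Sec. 2 (antichain {d, e})
U = {x: 1 for x in X}        # one user per label

def omega(y, z):
    """ω(yz) = Σ_{x ∈ γ(yz)} |U_x| for z < y, where γ(yz) = {x : x >= z and not x >= y}."""
    return sum(U[x] for x in UP[z] if x not in UP[y])

class MinCostFlow:
    """Successive shortest paths with Bellman-Ford; arc i is [head, residual cap, cost], its residual is i ^ 1."""
    def __init__(self):
        self.adj, self.arcs = defaultdict(list), []

    def add_arc(self, u, v, cap, cost):
        self.adj[u].append(len(self.arcs)); self.arcs.append([v, cap, cost])
        self.adj[v].append(len(self.arcs)); self.arcs.append([u, 0, -cost])

    def run(self, s, t, demand):
        flow = cost = 0
        nodes = list(self.adj)
        while flow < demand:
            dist, parent = {s: 0}, {}
            for _ in range(len(nodes)):              # Bellman-Ford: residual arcs may cost < 0
                changed = False
                for u in nodes:
                    for i in (self.adj[u] if u in dist else []):
                        v, cap, c = self.arcs[i]
                        if cap > 0 and dist[u] + c < dist.get(v, float("inf")):
                            dist[v], parent[v], changed = dist[u] + c, i, True
                if not changed:
                    break
            if t not in dist:
                break                                # no augmenting path left
            push, v = demand - flow, t
            while v != s:                            # bottleneck of the shortest path
                i = parent[v]; push = min(push, self.arcs[i][1]); v = self.arcs[i ^ 1][0]
            v = t
            while v != s:                            # augment along it
                i = parent[v]; self.arcs[i][1] -= push; self.arcs[i ^ 1][1] += push
                v = self.arcs[i ^ 1][0]
            flow, cost = flow + push, cost + push * dist[t]
        return flow, cost

def best_chain_partition():
    """Network chain-representation of (X, <=) with Remark 4 applied, solved and converted
    back into a chain partition as in the proof of Lemma 3."""
    S, T, BOT = "source", "sink", "bot"
    net = MinCostFlow()
    for x in X:
        if x != R:
            # the arc x_in -> x_out with l = u = 1 becomes b'(x_out) = +1, b'(x_in) = -1
            net.add_arc(S, (x, "out"), 1, 0)
            net.add_arc((x, "in"), T, 1, 0)
        net.add_arc((x, "out"), BOT, 1, 0)                   # x may be the bottom of its chain
        for y in X:
            if y != x and x in UP[y]:                        # y < x: y may be x's child
                net.add_arc((x, "out"), (y, "in"), 1, omega(x, y))
    net.add_arc(S, (R, "out"), W, 0)                         # b(r_out) = w
    net.add_arc(BOT, T, W, 0)                                # b(⊥) = -w
    demand = W + len(X) - 1
    flow, cost = net.run(S, T, demand)
    if flow != demand:
        raise ValueError("no feasible flow: W is below the width of the poset")
    child, bottoms = defaultdict(list), set()
    for x in X:                          # y <_f x iff x_out -> y_in carries one unit
        for i in net.adj[(x, "out")]:
            v, cap, _ = net.arcs[i]
            if i % 2 or cap:             # residual arc, or forward arc carrying no flow
                continue
            if v == BOT:
                bottoms.add(x)
            else:
                child[x].append(v[0])
    def chain_from(top):                 # every element has at most one child: follow it down
        chain = [top]
        while child[chain[-1]]:
            chain.append(child[chain[-1]][0])
        return chain
    tops = child[R]                      # t_1, ..., t_w; one of them continues r's own chain
    first = [R] if R in bottoms else [R] + chain_from(tops.pop(0))
    chains = [first] + [chain_from(t) for t in tops]
    return chains, W * U[R] + cost       # Lemma 3: K = w|U_r| + minimum cost

def secrets_lemma2(chains):
    """K(Π) via Lemma 2: Σ over bottom elements b of Σ_{x ∈ ↑b} |U_x|."""
    return sum(U[x] for c in chains for x in UP[c[-1]])

def is_chain_partition(chains):
    flat = [x for c in chains for x in c]
    return sorted(flat) == X and all(c[i] != c[i + 1] and c[i] in UP[c[i + 1]]
                                     for c in chains for i in range(len(c) - 1))

if __name__ == "__main__":
    chains, K = best_chain_partition()
    print("chains:", chains, "K =", K, "Lemma 2 check:", secrets_lemma2(chains))
```

Two partitions attain the minimum here (both have bottom elements $a$ and $b$), so the script may return either; the Lemma 2 check confirms the value $K = 13$ independently of the flow.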

5 Concluding Remarks 

Cryptographic enforcement schemes (CESs) fall into two broad categories: those that use symmetric cryptographic primitives and those that use asymmetric ones (notably attribute-based encryption [6,17]). The focus of this paper is on symmetric schemes, which may be characterized by (i) the total number of secrets required, (ii) the number of secrets required per user, (iii) the total amount of public information required for the derivation of secrets, and (iv) the number of derivation steps required.

Until recently, symmetric CESs for information flow policies have assumed each user would be given a single secret, from which other secrets and decryption keys would be derived using public information generated by the scheme administrator (see, for example, [3,11]). In this setting, there is a considerable literature on the trade-offs that are possible by reducing the number of steps required for the derivation of secrets, at the cost of increasing the amount of public information (see, for example, [4,8,12]).

One drawback of these types of CESs is that the administrator must generate and publish information to facilitate the derivation of secrets (and decryption keys). Moreover, the amount of public information required may be substantial, particularly when security labels are defined in terms of (subsets of) attributes. Chain-based CESs obviate the requirement for public information, the trade-off being that each user may require several secrets. The chain-based approach may well be much more practical, particularly if the poset is large and its Hasse diagram contains many edges (as in a powerset, for example). Moreover, chain-based CESs may be implemented using one-way functions, typically the fastest of cryptographic primitives in practice.

However, it was not known which choice of chain partition was most appropriate for a given information flow policy. Our work provides formal and practical methods for constructing a chain partition with the smallest number of keys in total, with the additional property that no user is required to have more than $w$ keys, where $w$ is the width of the information flow policy.

One question remains: If there exist multiple chain partitions that minimize the number of keys in total and per-user, which of these should we choose and can we compute it efficiently? The one parameter that our work does not address is the number of derivation steps $d$ required by a user in the worst case. Our future work, then, will attempt to find a polynomial-time or fixed-parameter algorithm that takes a poset as input and outputs a chain partition into $w$ chains that minimizes $d$. We also hope to investigate whether the insight provided by Lemma 2—that $K(\Pi)$ is completely determined by the bottom elements in $\Pi$—can be exploited to design an algorithm whose performance improves on that of the algorithm described in Section 4.